ETSI approves new European PDF signature standard

The Electronic Signature Initiative group of the European Telecommunications Standards Institute, ETSI ESI, approved PAdES, the European standard for PDF Advanced Electronic Signatures, on March 18, 2009.

PAdES, or ETSI standard TS 102 778, is ETSI’s continuation of the EU Commission-funded standardization of Advanced Electronic Signatures in support of the EU Electronic Signature Directive from 1999. PAdES is the third signature standard in the ETSI series, covering signatures on PDF documents. Previously published ETSI signature standards have specified signatures on XML documents (XAdES) and signatures using CMS (CAdES), where CMS (Cryptographic Message Syntax) is the ASN.1-based signature format developed by the IETF as part of the S/MIME standards series for secure e-mail.

Now, one could ask why ETSI is developing signature standards for document formats that already have standardized signature formats. XML Dsig from IETF and OASIS already specifies signatures on XML, CMS already defines signed data, and ISO 32000 already defines signatures on PDF.

An important answer is that the ETSI standards build on and extend these existing standards in order to allow the signer and verifier to bundle more signature creation and verification data with the signature. One of the most important features of the ETSI standards is that they allow time stamps and certificate revocation data, such as revocation lists and OCSP (Online Certificate Status Protocol) messages, to be stored with the signature for later processing. This can be used to enhance the ability to verify a signature at some time in the future, when the current verification data would otherwise no longer be available. One example is that it would allow verification of a signature whose certificate has been revoked, if the time stamps and revocation information stored with the signature support that the signature was created at a time when the verification certificate was still valid.
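The rule in the paragraph above, as an added Python sketch that is not taken from the ETSI standards or from the original article. The `StoredEvidence` model, the status names and the freshness check on the revocation data are assumptions made here, and all dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class StoredEvidence:
    """Data kept with the signature (constructed model, not a PAdES parser)."""
    cert_not_before: datetime
    cert_not_after: datetime
    timestamp: Optional[datetime] = None          # trusted time stamp over the signature
    revocation_issued: Optional[datetime] = None  # when the stored CRL/OCSP data was produced
    revoked_at: Optional[datetime] = None         # revocation date it reports, None if "good"


def certificate_status(ev: StoredEvidence, now: datetime) -> str:
    """Classify the signer certificate at the best provable signing time."""
    # Without a stored time stamp the only defensible reference time is "now".
    ref = ev.timestamp if ev.timestamp is not None else now
    if not ev.cert_not_before <= ref <= ev.cert_not_after:
        return "OUTSIDE_VALIDITY_PERIOD"
    if ev.revocation_issued is None:
        return "NO_REVOCATION_DATA"
    if ev.revoked_at is not None and ev.revoked_at <= ref:
        return "REVOKED_AT_REFERENCE_TIME"
    # Assumption of this sketch: status data produced before the reference
    # time cannot show the certificate was still good at that time.
    if ev.revocation_issued < ref:
        return "REVOCATION_DATA_TOO_OLD"
    return "VALID_AT_REFERENCE_TIME"


def demo() -> dict:
    """Run four constructed cases, verified long after signing."""
    d = lambda y, m, day: datetime(y, m, day, tzinfo=timezone.utc)
    now = d(2015, 1, 1)
    cert = dict(cert_not_before=d(2008, 1, 1), cert_not_after=d(2020, 1, 1))
    revoked = dict(revocation_issued=d(2010, 6, 1), revoked_at=d(2010, 5, 1))
    cases = {
        "stamped_before_revocation": StoredEvidence(**cert, **revoked, timestamp=d(2009, 3, 18)),
        "no_time_stamp": StoredEvidence(**cert, **revoked),
        "stamped_after_revocation": StoredEvidence(**cert, **revoked, timestamp=d(2010, 7, 1)),
        "stale_status_data": StoredEvidence(**cert, timestamp=d(2009, 3, 18),
                                            revocation_issued=d(2009, 1, 1)),
    }
    return {name: certificate_status(ev, now) for name, ev in cases.items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The first two cases differ only in the stored time stamp, which is what moves the result from revoked to valid.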

Still, implementation of these standards is relatively limited, mainly for two reasons.

• These more advanced forms of electronic signatures are not required to fulfill the requirement of the EU directive on electronic signatures.
• The original versions of these standards required the signer to use this advanced signature format in order to allow the receiver to add more verification data to it. This has drastically reduced the utility of these standards, compared with what it would have been had they allowed a verifier to use the standard to enhance a normal signature by adding verification data to the signed document for later use.

The latter of these two issues has been a significant focus area for efforts to update the standards in the past.